ap-auth-openidc: update to version 2.4.19.3
== 2.4.19.3
The 2.4.19.x versions use a backwards incompatible session format so existing sessions
(created by versions <=2.4.18.x) are invalid.
Security
* code: fix >25 cases of potential string/URL matching attacks, XSS attacks,
buffer overload etc.
* config: fix low-risk - insider admin attack based- security vulnerabilities
* log: do not log refresh tokens at warn/error levels
== 2.4.19
Features
* cookie: support individual SameSite cookie settings on the session cookie, state
cookie and Discovery CSRF cookie by adding 2 more arguments to OIDCCookieSameSite
* id_token: add off option to OIDCPassIDTokenAs so no claims from the ID token will
[96 lines not shown]
cjose: update to 0.6.2.6
0.6.2.6
* **Security fix**: AES-CBC-HMAC JWE encryption used an all-zero content-encryption key.
`_cjose_jwe_set_cek_aes_cbc` inverted the "random" flag and zero-filled the CEK instead
of generating it from `RAND_bytes`. Every JWE produced with an AES-CBC-HMAC `enc`
(A128CBC-HS256 / A192CBC-HS384 / A256CBC-HS512) combined with a non-`dir` key-management
`alg` (A128/192/256KW, RSA-OAEP, RSA1_5) was encrypted and authenticated under an
all-zero key, breaking confidentiality and integrity for those ciphertexts. The `dir`
algorithm and all AES-GCM `enc` values were not affected. Adds a regression test.
* Additional hardening from a security audit of `jwe.c` / `jwk.c` / `jws.c`:
* Fix EVP_CIPHER_CTX leak in AES-CBC content encryption on authentication-tag failure
* Avoid NULL dereference of the optional `cjose_err` in ECDH-ES key decryption
* Use a constant-time comparison for the multi-recipient CEK consistency check
* Cleanse private key material (RSA/EC/oct) on JWK import and export, and fix a leak of
the base64url buffer in EC private-key export
* Check the ephemeral-key allocation in ECDH key derivation
* Use integer arithmetic (instead of floating-point) for the base64url length check on
imported JWK fields
[32 lines not shown]
lyx: update to 2.5.1
version 2.5.1?
--------------
This release fixes a number of mostly minor bugs in 2.5.0. One important fix
concerns crashes when exiting LyX on OSX, specifically when documents are still
open. We have also fixed a handful of bugs with the new input method support.
version 2.5.0?
--------------
The new features in LyX 2.5 are detailed in
https://wiki.lyx.org/LyX/NewInLyX25
The major changes include:
* Update the cross-referencing framework to allow additional backends
(e.g., zref and cleverref) and to allow range references (e.g., sections
[69 lines not shown]
texstudio: update to 4.9.5
TeXstudio 4.9.5
* fix crash when setting explicit root doc
* improve handling collaboration with teamtype
* workaround win11 style, invisible red background when text not found in searchpanel
* keep folder structure of imported macros if more than one macro is imported
* highlight more tex symbol as keyword
* fix addresource bibfile when using citation-style-language
TeXstudio 4.9.4
* disable AI wizard by default
* enable LLM to use tool functions to access the current document. This allows LLM
to manipulate the document directly. This can be disabled.
* fix losing cursor position when view width changes (soft wrap)
* fix file detection in TOC when creating new file from include/input
* improve loading speed with large projects
* add find definitions on multiple defined labels
* improve information when loading log is rejected because of size
[294 lines not shown]
texworks: update to 0.6.11
Release 0.6.11 (TL'26) [February 2026]
* Add additional cleanup patterns for LaTeXmk, biblatex, minitoc
* List dictionary folders in the "Settings & Resources" dialog
* Include prefix in selection if at the beginning of a line
* Properly report version info in Windows installer
* Make spell checker backend accept multiple languages
* Update translations
* Switch to build with Qt6 by default
* Refactor and modernize parts of the code
* Update URLs
* Enlarge drawing rect to avoid artifacts in the PDF preview
* Fix magnifier shadow position when ruler is shown
* Correctly detect PDF 2.x
* Fix Scripts menu for nested folders
* Fix error handling of QSaveFile::commit
[23 lines not shown]
www/chromium: update to 149.0.7827.114
* 149.0.7827.114
This update includes 28 security fixes. Below, we highlight fixes
that were contributed by external researchers.
Please see the Chrome Security Page for more information.
* 149.0.7827.102
This update includes 74 security fixes. Below, we highlight fixes
that were contributed by external researchers.
Please see the Chrome Security Page for more information.
esbuild: update to 0.28.1
- Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)
- Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
- Avoid inlining using and await using declarations (#4482)
- Fix module evaluation when an error is thrown (#4461, #4467)
- Fix some edge cases around the new operator (#4477)
- Fix renaming of nested var declarations (#4471)
- Emit var instead of const for certain TypeScript-only constructs for ES5 (#4448)
py-python-discovery: updated to 1.4.2
Bug fixes - 1.4.2
- Stop executable symlink resolution once the stdlib landmark is reachable and keep macOS framework builds untouched,
matching ``getpath`` - Homebrew interpreters no longer get version-pinned ``Cellar`` paths recorded and stable
aliases such as Debian's ``/usr/bin/python3`` are preserved
Bug fixes - 1.4.1
- Resolve executable-only symlinks when computing ``system_executable``, mirroring CPython's ``getpath.realpath``
(python/cpython115237): a symlink to the interpreter binary now resolves to the real interpreter, while a fully
symlinked interpreter tree is kept as-is
py-starlette: updated to 1.3.1
1.3.1 (June 12, 2026)
Fixed
* Enforce `max_fields` and `max_part_size` in `FormParser`
* Enforce `FormParser` limits in parser callbacks
1.3.0 (June 11, 2026)
Added
* Add `httpx2` to the `full` extra
* Annotate the `URLPath` `protocol` parameter with `Literal`
py-pdf: updated to 6.13.2
6.13.2, 2026-06-10
Security (SEC)
- Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV
Robustness (ROB)
- Fix UnboundLocalError in _read_standard_xref_table on a malformed entry
- Raise PdfStreamError on non-hexadecimal bytes in hex readers
